
feat(audit): select which dependency groups to audit #6724

Merged
merged 3 commits into from Mar 16, 2019

Conversation

tommilligan
Contributor

@tommilligan tommilligan commented Nov 27, 2018

Summary

Closes #6632.

Currently yarn audit shows vulnerabilities for production, development and optional dependencies. It would be useful to only audit production dependencies, or select which groups of dependencies to audit.

Test plan

master:

    $ yarn audit --prod
    ...
    9 vulnerabilities found - Packages audited: 31177
    Severity: 9 Low
    Done in 2.24s.

this PR:

    $ yarn audit --groups dependencies
    ...
    0 vulnerabilities found - Packages audited: 442
    Done in 2.08s.

I look forward to hearing some feedback!

@tommilligan tommilligan changed the title audit: respect production flag in audit and install commands feat(audit): select which dependency groups to audit Nov 28, 2018
@Jalle19

Jalle19 commented Nov 28, 2018

Looks like a pragmatic solution to me (commenting here mostly to get notified if this moves forward)

@syrnick

syrnick commented Dec 11, 2018

Very helpful!

@Jalle19

Jalle19 commented Jan 7, 2019

Any updates on this?

@charrondev

charrondev commented Feb 18, 2019

Are any of the maintainers going to chime in here? Without this it is difficult to run audits in CI. My team is not going to stop the world because of a low severity DoS in our test runner for example. We do want to stop the world and fix a higher severity issue in a package shipped to production however.

@iflp

iflp commented Mar 14, 2019

@arcanis - please take a look at this, thanks!

@arcanis
Member

arcanis commented Mar 14, 2019

Ping @rally25rs ?

Contributor

@rally25rs rally25rs left a comment


Sorry for the long delay. Thanks for the contribution! 🎉

@rally25rs
Contributor

rally25rs commented Mar 15, 2019

@tommilligan it looks like some of the audit unit tests now fail due to another change to audit that adds whether or not it is a dev dep. Would you mind resolving the failing tests? (or I'll see if I can push a commit to fix it...)


Edit:

Never mind, I figured out how to push a commit. Github really doesn't like to make it obvious 😆

@rally25rs rally25rs merged commit 6dbedcc into yarnpkg:master Mar 16, 2019
sarod added a commit to sarod/website-1 that referenced this pull request Mar 3, 2020
Basic doc for yarn audit --group command introduced by https://github.com/yarnpkg/yarn/pull/6724
sarod added a commit to sarod/website-1 that referenced this pull request Mar 3, 2020
Basic doc for yarn audit --groups command introduced by https://github.com/yarnpkg/yarn/pull/6724
Haroenv pushed a commit to yarnpkg/website that referenced this pull request Mar 3, 2020
Basic doc for yarn audit --groups command introduced by https://github.com/yarnpkg/yarn/pull/6724
@OZZlE

OZZlE commented May 24, 2021

Seems like a great idea but doesn't seem to work; it's complaining about devDependencies anyway.

I tried both yarn audit --prod and yarn audit --groups dependencies; it still reports devDependencies.

Successfully merging this pull request may close these issues.

Add a flag to ignore devDependencies when running yarn audit
8 participants